from the and-everyone's-a-little-less-safe-now dept

The long history of US intelligence agencies' access to software exploits is well-documented. In the interest of "safety," the US government has undermined the safety of millions of users by gathering up exploits and utilizing them for as long as possible before patches and updates close the security holes. Some it acquires directly from companies that report holes in their systems directly to the NSA and other agencies. Others it buys from contractors that specialize in probing software for usable exploits.

Heather Akers-Healy, using Muckrock's FOIA service, recently obtained a document from the NSA detailing its purchase of exploits from Vupen, a French security company specializing in sellable exploits. Unfortunately, the details in this "detailing" are incredibly sparse. Most of what might be interesting is redacted, and the majority of the document is standard contractual clauses.

If there's anything of interest here (beyond the purchase of exploits), it's the fact that the transaction takes place on a nondescript form which can be used to handle a variety of products. Due to the standardized wording, it almost appears as though the NSA has the option to purchase exploits by the truckload -- and that said exploits can only be delivered during the normal receiving hours of 7:30 am - 2:30 pm.

That being said, the purchase of exploits is something the NSA has been pretty open about (comparatively). Vupen, or at least its founder and CEO Chaouki Bekrar (who refers to himself as the "Darth Vader of Cybersecurity"), seems rather open about the exploit market itself. As Muckrock points out, Bekrar suggested other FOIA request topics when confronted with this document.

The "Binary Analysis and Exploits" subscription (pre-paid, yearly) that the NSA purchased is described on Vupen's site as more of a defensive product, but it's highly unlikely the agency viewed it the same way.

With 15 to 20 binary analysis and private 1-day exploits/PoCs released by VUPEN each month, the VUPEN Binary Analysis and Exploits service allows gov organizations to quickly and easily evaluate risks related to the most recent vulnerabilities, and protect national infrastructures against critical vulnerabilities before they are exploited in the wild.

While the NSA's document may lack a lot of details, a brochure obtained by Wikileaks shows what's available in Vupen's offensive package. This service targets law enforcement agencies (LEAs) as well as government agencies. LEAs could certainly be considered a "growth market," especially since so many are "rebranding" themselves as entities lying somewhere between a military force and an unofficial FBI field office.

What this program does is turn your subscription fee into credits and allow you (the LEA/government) to buy exploits with these credits (based on how valuable Vupen feels they are). It's like a Wii store for vulnerabilities. The ultimate aim?

VUPEN Exploits for Law Enforcement Agencies aim to deliver exclusive exploit codes for undisclosed vulnerabilities discovered in-house by VUPEN security researchers. This is a reliable and secure approach to help LEAs and investigators in covertly attacking and gaining access to remote computer systems.

Now, Vupen states on its site and in its brochures that it will only sell to "trusted countries and government agencies." Even if that is entirely true, the underlying issue doesn't go away. Instead of identifying holes and working with software companies to get them patched (or at least informing the general public), it's selling these off to various intelligence/law enforcement agencies.

If Vupen can find these exploitable holes, so can other untrustworthy actors, whether they're governments that don't quite make the "trusted" list or simply individuals looking to profit on the misery of others. Vupen can't corner this market. A security hole is a security hole and no one owns it or can prevent others from exploiting it (other than by closing the hole). What it's selling isn't necessarily scarce and what it's doing is allowing the public (including paying customers) to assume the risk while it profits.

from the let's-walk-this-through dept

A few folks have sent over variations on two different reports concerning the music industry, with some suggesting that this is "proof" that the recording industry's "war on piracy" has been effective on two fronts: increasing sales and reducing piracy. Of course, for many years, we've questioned whether or not reducing piracy actually increases sales, so we looked closely at the numbers and they don't seem to say what some people think they're saying. The Hollywood Reporter has a good summary of both reports. One comes from IFPI, celebrating that "global recorded music revenue" rose 0.3% in 2012. That is, obviously, a tiny increase, but it is an increase. Of course, as we've noted, "recorded" music revenue is merely one piece of the wider music industry ecosystem -- and that entire ecosystem has been growing for quite some time.

The second report comes from one of the industry's favorite researchers, NPD, claiming a massive decline in music file sharing (based on consumer surveys). I've found NPD's data to be suspect in the past, but let's just assume this is true. Then, can we reach the conclusion that the industry's anti-piracy efforts both worked and that it led to increased sales?

Actually... no. Not even close. We can see this pretty clearly just by looking beyond the recorded music market, to the wider file sharing space. Various reports have made it clear that widespread file sharing (mostly of infringing content) has continued to grow quite rapidly during the same time period. Sandvine reports (pdf) that BitTorrent traffic increased 40% over the same basic time frame. Or, zero in on a different market beyond music. How about software? The BSA's annual report continues to show increases in "piracy."

What does that say? Well, if wider anti-piracy campaigns were effective, we wouldn't just be seeing a decline in music infringement. We'd see similar declines across the board. But the overall space and some other, similar, markets are showing increases in infringing content spreading.

That leads us to the much more reasonable hypothesis: the reason that music piracy is down and revenue is up is that the industry has finally started allowing more innovation into the market. Not surprisingly, this is exactly what we've been arguing for years. If you let the tech industry create useful new services that better provide the public with what they want, you get services and products that people are willing to pay for. And when that happens, infringement decreases, because the legitimate and authorized services are better than the infringing alternatives. It's why music infringement fell off a cliff in Sweden when Spotify launched there, despite Sweden also being the home of The Pirate Bay. Notably, when music infringement plummeted in Sweden, other types of infringement did not similarly drop.

In other words, for all the complaints about these new services, and the many, many attempts to hold them back or neuter them, letting new services grow and thrive seems to be the best "anti-piracy" measure that the record labels could have used. And yet they still think they need to focus on punishing fans and limiting services.

from the watched-any-good-LICENSES-lately? dept

The best way to combat piracy is to offer content at a reasonable price, make it easily accessible and hamper it with as few limitations as possible. Very, very slowly, the major studios are coming around to this line of thinking. A few tentative (and pretty much awful) steps have been taken, but it seems that for every minute, baby step forward, the motion picture industry staggers several steps back.

Case in point: Amazon's Instant Video service, which has "over 100,000 top movies and TV shows to rent or buy." This includes many new releases, and the purchaser can stream the movie indefinitely and at any time to compatible devices. The purchaser also has the option to download the movie to a PC or Kindle Fire for viewing without an internet connection.

Consumerist reader Rebecca found this out the hard way, when she purchased Puss In Boots for $14.99 from Amazon, believing that, per Amazon’s marketing, she would be able to watch the movie when she wanted and for as many times as she wanted.

And all was going well for a few weeks until Rebecca went to stream Puss In Boots and instead saw a message stating that the film was no longer available for viewing.

As Rebecca found out, "any time" means "any time the studio is not currently milking every last dollar out of its latest release by shuffling it in and out of rental, PPV and premium cable windows." Why these windows should matter to someone who has already paid for the movie is beyond me. After all, the purchaser should be able to set his or her own "window," starting from the point they paid for the movie and going forward.

Amazon's marketing seems to agree with this customer-friendly "any time window." But once something like this happens, the real details come out. Rebecca contacted Amazon for some clarification on this bullshit "anomaly" and received this:

Due to licensing restrictions, videos can become temporarily unavailable for viewing or downloading. The video will automatically be made available again once that restriction ends.

Availability of videos for purchase, re-download, or access from a backup copy is determined by the owners of the content. On very rare occasions, a video you previously purchased may become unavailable.

Well, that's kind of crap. The video you "previously purchased" may become "unavailable" at the whims of "THE OWNERS OF THE CONTENT." No doubt wrinkles of incomprehension form on the brows of studio and label execs when customers make bizarre claims of "ownership" after purchasing movies and music. According to the execs, they only "licensed" the content to you (with all the billions of lousy stipulations that transaction entails). [Unless you're Eminem and demanding to be paid larger "license" royalties. In this specific case, you were sold actual songs.]

While this studio chicanery is nothing new, especially when it comes to digital goods, Amazon isn't helping matters by burying the exceptions and limitations that come with purchasing "indefinite" access. The licensing restrictions Rebecca had detailed for her by Amazon appear nowhere on the purchase pages. In fact, the "Amazon Instant Video Usage Rules" page carries none of this information either. Instead, it gives you this phrase and link:

Viewing Period: Indefinite — you may watch and re-watch your purchased videos as often as you want and as long as you want (subject to the limitations described in the Amazon Instant Video Terms of Use).

The TOS link brings you to a less-than-helpful wall of text, leaving the purchaser to scroll up and down before finding the pertinent information that explains exactly why something they purchased is unavailable.

Purchased Digital Content will generally continue to be available to you for download or streaming from the Service, as applicable, but may become unavailable due to potential content provider licensing restrictions and for other reasons, and Amazon will not be liable to you if Purchased Digital Content becomes unavailable for further download or streaming. You may download and store your own copy of Purchased Digital Content on a Compatible Device authorized for such download so that you can view that Purchased Digital Content if it becomes unavailable for further download or streaming from the Service.

Nice, huh? For any reason, your purchase may be limited, unavailable or removed completely by the "content provider." Amazon suggests (when it's done letting you know that "hey, not our fault") that the purchaser download and store their own copies to avoid being locked out of their purchases by the content providers. Well, thanks for the suggestion, Amazon, but even that half-assed "workaround" is useless thanks to the fact that the content provider can also make purchases "unavailable for further download." It's not as if Dreamworks is going to send an email blast letting customers know that their purchased streams are about to vanish thanks to a six-week run on pay-per-view. And the studios certainly aren't going to tell customers "Download now because we're yanking that movie from Amazon completely." Everyone involved would just rather the problem be dealt with when the angry emails start pouring in, if at all.

Now, Rebecca obviously prefers streaming, so getting shafted by the studios probably isn't going to drive her to massive torrenting. What it may do, however, is send her towards streaming services like Amazon Prime or Netflix. Because of its shortsighted urge to drain every last penny out of "Puss in Boots," Dreamworks seems willing to sacrifice actual "digital dollars" from Amazon Instant Video for the "digital dimes" of other streaming services. Of course, if the studio already has your $14.99, it's probably not very concerned about how satisfied you are with the spotty availability of your purchased movie license. It's not like Rebecca can return it. All she can do is wait for Dreamworks to reopen her (prepaid) window.

Streaming is becoming the preferred option for movies and music, and Hollywood seems to be willing to fight it every step of the way. It's sad and it's ugly. The industry has crippled Hulu and Netflix (while offering nothing comparable of its own) and now seems ready and willing to kick Amazon and its customers around for as long as it can get away with it. It's one thing to play stupid games with content when customers are paying a flat rate for "all you can watch." It's quite another to yank content away from customers who have paid directly for a title at prices that rival a physical DVD purchase. That's not a "business model." That's abusing your customers for fun and profit.

from the ip-in-the-oatmeal dept

As we've mentioned before, it's interesting to watch copyright issues break into the mainstream and get attention from bigger and bigger sources. This time, Matthew Inman used his famous (and widely read) webcomic The Oatmeal to recount the moral quandary he was placed in when trying to watch Game of Thrones. It's hard to get the full effect without the whole comic, so you should really go read it—but here's a preview:

Of course, plenty of people have been saying this for years: the biggest driver of piracy is a lack of legitimate offerings. Unfortunately, the legacy players think (or at least claim) that they are being innovative with their offerings, even as their customers tell them otherwise. Hopefully, as people like Inman continue putting all-too-common stories like this into the spotlight, they will begin to get the message.

from the that's-not-buying dept

We pointed out that the early reviews of Hollywood's new UltraViolet DRM aren't particularly good, but the industry is still pushing forward with the idea. Leading the way is Warner Bros., which is trying to turn the movie-based "social network" it bought a few months ago, Flixster, into the central hub for your movies. The NY Times has an article about it, where it repeatedly claims that the strategy is all about trying to get people to "buy" movies again, rather than just rent them via Netflix or Redbox. Of course, I find this pretty funny, because nothing about UltraViolet is about actually "buying" anything. You're still renting -- and if things ever went to court over, say, your first sale rights to resell a movie you "purchased" using UltraViolet, you can bet that Warner Bros. would be first in line to claim that the license shows you're merely renting the movie, not buying it. It's just that you're renting it on an open-ended timeline, basically until the studios bail on UltraViolet and shut down the servers.

Rob Pegoraro, in commenting on the article, notes that oddly, the article doesn't even mention DRM in talking about why people don't want to buy from the studios, or the fact that it's still much more convenient to get the content by unauthorized means. But that concept still hasn't reached the brain trust at Warner Bros., which seems to insist that as long as you can access the movies you "bought" from anywhere, people will prefer that to file sharing. While it's great that they're at least trying to add benefits, to make it more valuable and worth paying for, the whole thing smacks of someone's father trying to "act cool" for his kids' friends. Warner Bros. still doesn't seem to understand why people like things like Netflix: the convenience. Everything about UltraViolet sounds inconvenient, and that hardly makes anyone want to "buy."

from the oh-really? dept

Scott Wetterling was the first of a bunch of you to send in one of the many stories about how, when 7-Eleven offers free Slurpees, its sales of Slurpees go up. They say this is "odd behavior," but I don't buy that at all. Free has been a compelling part of getting people to buy stuff for ages, even if that involves buying the very thing that is being given away. We've certainly seen this in other fields as well, such as when Cory Smith took his free MP3s off of his website... and immediately saw his iTunes sales plummet. People berate the use of free because they don't understand how it works. And then, when it does work, they describe the behavior as "odd." Perhaps it's not odd at all once you realize how it works.

from the consumer-privacy dept

Remember how North Carolina was demanding that Amazon hand over pretty much all purchase info on every citizen who had ordered anything from the site? Thankfully, Amazon won that lawsuit and was allowed to protect purchaser privacy. However, other states apparently didn't get the message. Michael Scott points us to the news that the state of Colorado, which had put in place a similar law, just got hit with a preliminary injunction barring it from enforcing the law. While it's not a final ruling, it does mean that the companies protesting this law have established a "substantial likelihood" of prevailing. The ruling focuses on how the law violates the Commerce Clause by regulating interstate commerce (which state governments are not allowed to do). It doesn't directly discuss the privacy issues, other than to note indirectly that, weighing the balance of potential "harms," it makes sense to block this law. If the law is later found to be legal, then the state can still get that info and collect taxes, but if the law is allowed to be enforced now, it could violate people's privacy and other rights.

from the hope-you-didn't-buy-anything-embarrassing dept

For years, there have been attempts by states to get Amazon to collect sales tax on purchases in those states, even if Amazon doesn't actually have any facilities in those states. Historically, companies haven't needed to charge sales tax if they don't directly operate in those states since (the argument goes) they're not making use of state resources and thus shouldn't have to collect for the state. Of course, buyers are still supposed to pay the sales tax directly to the state -- though that almost never happens. Various states have worked on ways around this in blatant revenue grabs. For example, it's become popular for states to claim that if a particular state has any residents who have signed up as Amazon affiliates, Amazon now has a presence in that state. In response to this, Amazon has cut off affiliate programs in various states. One of those states was North Carolina.

It routinely provides the Revenue Department with "voluminous information" about its sales to North Carolina addresses as part of routine audits of the company's compliance with sales and use tax laws. The information includes the date and total price of each transaction, the city, county and ZIP code to which each item was shipped and Amazon's standard product code for each item, which allows officials to see the description of every product purchased.

But what it does not provide is the actual names and addresses -- and North Carolina threatened to charge Amazon with contempt if it didn't provide that info. In response, Amazon is now suing North Carolina, claiming that the demand to turn over such information is a massive breach of the First Amendment, in that it could create serious chilling effects on what people would buy if they knew that the gov't was reviewing all of their purchases.

It's hard to see how North Carolina has any case here at all. Demanding such information would be a huge breach of privacy and of individual rights -- all in a blatant attempt by the state to collect more revenue. Hopefully the courts shut down this overreach quickly.

from the how-many-more-do-we-need? dept

Pretty much every single non-industry-backed study has shown this same thing, but just for the record, here's yet another study showing that those who engage in unauthorized file sharing end up buying more media. The study, looking at the UK (home of the new proposal to kick people off the internet), wasn't even close. Those who engaged in unauthorized file sharing tended to spend £77 on media per year, while those who did not spent about £44. And yet file sharers are the enemy? And the industry wants to kick them offline so they discover less new content? How will that help?

from the but-they-just-want-stuff-for-free? dept

We've seen a bunch of studies like this in the past, but people keep submitting this one, so we figured we'd do a quick post on it. Yet another study has shown that people who are more active in unauthorized file sharing also tend to spend more on authorized entertainment purchases. Now, to be fair, the study was paid for by a file sharing provider -- so take it with a rather large grain of salt. But similar studies have been done in the past as well, and it seems to once again call into question the rallying cry in Hollywood that people just want stuff for free.